具有SNI的本地HTTPS服务器 [英] Local HTTPS server with SNI
问题描述
关于cURL和SSL的信息很多,但是关于编写服务器的信息并不多.我有一个用PHP编写的小型本地服务器,希望启用TLS/SSL.我的服务器在安全连接下崩溃时遇到问题.我仅收到错误"PHP警告:stream_socket_accept():无法启用加密".我有一台没有TLS的相同服务器,运行正常.我有一个想法,那就是证书,或者是连接/读取证书.但是,我不确定在生成证书,将证书加入PEM的方式或其他方面是否有错误.另外,对于我们的域,我在下面的代码以及证书创建过程中的本地名称中都使用了* .domain.tld.
There is a ton of information available about cURL and SSL, but not so much is out there about writing a server. I have a small local server written in PHP that I would like to have TLS/SSL enabled. I am having issues with my server crashing upon secure connections. I am only receiving the error, "PHP Warning: stream_socket_accept(): Failed to enable crypto". I have an identical server running without TLS, and it is working fine. I have an idea it is the certificates, or the connection to/reading the certificates. However, I am not sure if it is an error on how I generated the certificates, how I have them joined to PEM, or something else. Also, for our domains, I've used *.domain.tld in both the code below, as well as the local name in the cert creation.
此外,Web浏览器中显示的证书显示127.0.0.1证书,而不显示localhost(或其他域)证书,而与请求的域无关.那是因为127.0.0.1被设置为本地证书吗?关于证书-这是我当前用于创建要在服务器上使用的.pem文件的代码:
Furthermore, the certificates shown in the web browser show the 127.0.0.1 cert and not the localhost (or other domains) certificates regardless of the domain requested. Is that because the 127.0.0.1 is set as the local cert? About the certificates- this is my current code for creating the .pem file to use on the server:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout apache.key -out apache.crt
apache.crt apache.key > joined.pem
服务器代码的基本格式是:
A basic rendition of the server code is:
<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
$flags = STREAM_SERVER_BIND|STREAM_SERVER_LISTEN;
$ctx = stream_context_create(['ssl' => [
'local_cert' => "{path}/Websites/127.0.0.1/certs/joined.pem",
'SNI_server_certs' => [
"127.0.0.1" => "{path}/Websites/127.0.0.1/certs/joined.pem",
"localhost" => "{path}//Websites/localhost/certs/joined.pem",
]
]]);
stream_context_set_option($ctx, 'ssl', 'ssl_method', 'STREAM_CRYPTO_METHOD_TLSv23_SERVER');
stream_context_set_option($ctx, 'ssl', 'allow_self_signed', true);
stream_context_set_option($ctx, 'ssl', 'verify_peer', false);
stream_context_set_option($ctx, 'ssl', 'ciphers', "HIGH");
$socket = stream_socket_server("tls://127.0.0.1:8443", $errno, $errstr, $flags, $ctx);
while ( $client = stream_socket_accept($socket, "-1", $clientIP)):
$msg = fread($client, 8192);
$resp = "HTTP/1.1 200 OK\r\nContent-type: text/html\r\n\r\n<h1>Hi, you are secured.<br>{$msg}";
fwrite($client,$resp );
fclose($client);
endwhile;
还有一件事情,Chrome浏览器似乎是按照自己的规则运行的,该密码设置为使所有主流浏览器满意的适当密码是什么.
One more thing, what is the proper cipher to set for appeasing all of the major browsers out there, Chrome seems to play by its own rules.
有什么想法我在这里想念的吗?
Any ideas what I am missing here?
推荐答案
我的问题不是在证书创建过程中设置SAN.链接 https://serverfault.com/questions/880804/can-not-get-rid-of-neterr-cert-common-name-invalid-error-in-chrome-with-self 更正了我的问题.
My issue was not setting SANs during the certificate creation. The link https://serverfault.com/questions/880804/can-not-get-rid-of-neterr-cert-common-name-invalid-error-in-chrome-with-self corrected my issues.
这篇关于具有SNI的本地HTTPS服务器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
